7/31/2009 @ 10:00AM

Smart Phones, Dumb Security

The smarter your phone, the dumber criminals need to be to exploit it. That’s the message from the annual BlackHat security conference.

Five different security groups presented new research on mobile devices Thursday that focused mostly on Apple’s iPhone, Microsoft’s Windows Mobile and Google’s Android mobile operating systems. Each group approached the problem of securing mobile devices from a different perspective, but most touched on the same theme: As devices become increasingly complex, it’s harder for all those technologies to play nice. As a result, it’s hard to figure out how the operating systems really work.

“For the first time ever, it’s a hot topic,” says Mikko Hypponen, chief research officer at Helsinki-based security firm F-Secure. “Apple brought out the iPhone, which finally makes smart phones relevant for Americans.”

Compared to previous years, the topic of discussion is moving from mobile applications down to the core mobile operating systems themselves. Three of the mobile talks discussed “fuzzing” techniques for diving deeper into system-level code, and many presented tools that will help push forward public mobile security research.

“The good part of fuzzing is that now that it’s being done before we have actual real, wide-scale attacks–which we don’t have in the mobile world yet–we still have time to fix all the problems,” says Hypponen.

A talk by Zane Lackey and Luis Miras demonstrated a way to spoof SMS messages using the GSM wireless technology used by companies like T-Mobile. That flaw would enable attackers to phish for personal information or, for example, fake a message from your boss.

Another talk, given by iSec researcher Jesse Burns, tore apart Google’s Android and showed people how to use open-source code to figure out what’s going on in their devices. He discussed some common programming errors that lead to vulnerabilities and implored coders to program their applications more securely. Although Android is open-source, the developer community has yet to fully understand it. “They’re getting there,” he says, “but I want to speed that up.”

In a talk by engineers from Flexilis, a Los Angeles-based mobile security firm, researcher John Hering laid out the key factors driving mobile threats: technology advancement, persistent Internet connections and the rise of third-party applications.

Shoehorning complex technologies like Wi-Fi, Bluetooth and SMS into the same device means that a mobile operating system has to balance a lot of complex technology protocols, a fact that can create unintended consequences that beget security bugs. Always-on devices mean that the door is wide open for attack, even while the device is unused and in your pocket.

The proliferation of third-party applications available through places like Apple’s App Store and Google’s Android Marketplace means that sometimes-novice programmers can introduce new flaws that can become a foothold for an attack. Disabling code signing, for example, to jailbreak an iPhone means that the device will happily run malicious code.

While cyber criminals have not yet widely exposed mobile security flaws–F-Secure’s Hypponen says the security community has found only 486 malware examples to date–researchers stressed that it’s important to identify the potential problems early on. The fact that mobile devices are used for personal and financial information, that flaws are often consistent across millions of devices and that mobile devices are harder to patch makes a compelling case that mobile security should be a big concern for businesses and consumers.

“Mobile devices, in my opinion, are the most personal computer–it’s kind of an extension of yourself,” says Hering. “So as sensitive as your desktop is, your mobile device is going to be more sensitive.”

A number of tools were released that should give security researchers more transparency into smart phone software, and thus increase the likelihood that bugs will get stomped out. But while the theme of the day was how little security researchers know about how mobile operating systems work, the talks stressed how consumers know even less.

The lesson consumers must learn? Don’t be passive about mobile security. Update your device to the latest firmware. Disable protocols like Bluetooth that are not essential, and don’t install needless applications. “My advice is don’t wait,” says Hering. “Staying on top of that is really going to help you.”